
AT&T Allegedly Pays Ransom After Snowflake Account Breach – Source: www.databreachtoday.com



3rd Party Risk Management, Fraud Management & Cybercrime, Governance & Risk Management

Paying Criminals for a Promise to Delete Data Is Part of the Problem

Mathew J. Schwartz
(euroinfosec)


July 15, 2024


What will it take for victims of ransomware, extortion and other types of cybercrime to stop directly funding their attackers?


The latest breached business to pay a ransom to its attackers appears to be AT&T. The Dallas-based telecommunications giant is one of more than 150 victims of a campaign that recently targeted customers of cloud-based data warehousing platform Snowflake (see: AT&T Details Massive Breach of Customers’ Call and Text Logs).

On Sunday, Wired reported that a member of the hacking gang Shiny Hunters claimed that AT&T paid the group $370,000 – down from the initial $1 million demand – in return for a promise to delete the stolen data and a video of him doing so.

AT&T declined to comment on the report that it paid a ransom.

While most victims of the Snowflake customer account breaches have not yet been named, other organizations that lost data include automotive parts supplier Advance Auto Parts, Santander Bank, luxury retailer Neiman Marcus, the Los Angeles Unified School District and Live Nation Entertainment’s Ticketmaster (see: Victims of Snowflake Data Breach Receive Ransom Demands).

How many of the approximately 165 victims of the campaign targeting Snowflake customers chose to pay a ransom? If they did, it’s worth noting that criminal promises aren’t worth the paper they’re printed on. Paying attackers also validates the criminal business model, providing direct funding for future attacks.

Security experts have long urged organizations that fall victim to ransomware or data theft never to pay for abstract guarantees, such as assurances that stolen data has been deleted. Simply put, in the entire history of cybercrime there is no evidence that criminals have ever deleted every last copy of a stolen data set, whatever they may claim.

“American orgs are absolutely fueling ransomware and extortion groups over the past year by paying them … which is further fueling targeting of American orgs,” said British cybersecurity expert Kevin Beaumont in a Mastodon post.

The theft of AT&T’s data by Shiny Hunters came to light after a member of the group, who was allegedly not the individual who breached the telco’s environment, contacted a security researcher who goes by “Reddington” and asked him to serve as an intermediary with AT&T, Wired reported.

After first verifying the authenticity of the stolen information, Reddington contacted Google Cloud’s Mandiant incident response group, which alerted AT&T to the breach, after which the telco paid Reddington a fee for his negotiation services, Wired reported.

On Friday, AT&T issued its first public breach notification, warning that attackers in April stole call and text message records for “nearly all” of its customers from its Snowflake account. The stolen information pertains to about 110 million AT&T cellphone plan customers, as well as anyone who may have called or texted them. The telco also said in a Securities and Exchange Commission filing that one individual suspected of being involved in the attack has been arrested.

The stolen data could be used to identify individuals and their connection with others – based on who they called or texted and when – which leaves victims at increased risk of fraud and phishing attacks.
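The linkage risk described above, as an added example that is not part of the original article: a handful of constructed CDR-style rows (caller, callee, kind, timestamp; this column layout is an assumption, not AT&T's actual record format) are enough to rank each number's closest contacts, find the contacts two numbers share, and recover a daily routine from timestamps, with no message content at all. The numbers and rows are made up for illustration.

```python
"""Added example, not code from the original article: what call and text
metadata reveals without any message content. All records are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CDR-style rows: (originating number, terminating number,
# record kind, ISO-8601 timestamp). The layout is an assumption for the
# example, not a real carrier schema.
RECORDS = [
    ("+15550100", "+15550200", "call", "2024-04-02T08:05:00"),
    ("+15550200", "+15550100", "sms",  "2024-04-02T08:07:00"),
    ("+15550100", "+15550200", "call", "2024-04-03T19:40:00"),
    ("+15550100", "+15550300", "call", "2024-04-03T20:10:00"),
    ("+15550300", "+15550100", "sms",  "2024-04-04T07:15:00"),
    ("+15550400", "+15550100", "call", "2024-04-05T12:00:00"),
    ("+15550300", "+15550400", "sms",  "2024-04-05T12:30:00"),
]


def build_contact_graph(records):
    """Undirected weighted graph: graph[x][y] = number of interactions
    between x and y, regardless of who initiated them."""
    graph = defaultdict(Counter)
    for a, b, _kind, _ts in records:
        graph[a][b] += 1
        graph[b][a] += 1
    return graph


def top_contacts(graph, number, n=3):
    """Strongest relationships for one number: (contact, interaction count)."""
    return graph[number].most_common(n)


def mutual_contacts(graph, a, b):
    """Numbers that both a and b interacted with: a second-hop link that
    ties two otherwise unrelated subscribers together."""
    return sorted((set(graph[a]) & set(graph[b])) - {a, b})


def most_connected(graph):
    """Number with the most distinct contacts: a likely hub or target."""
    return max(graph, key=lambda num: len(graph[num]))


def active_hours(records, number):
    """Hour-of-day histogram for a number: reveals routine (when someone is
    awake, at work, or reachable), again without any content."""
    hours = Counter()
    for a, b, _kind, ts in records:
        if number in (a, b):
            hours[datetime.fromisoformat(ts).hour] += 1
    return hours


if __name__ == "__main__":
    g = build_contact_graph(RECORDS)
    hub = most_connected(g)
    print("hub:", hub, "contacts:", top_contacts(g, hub))
    print("shared by +15550300 and +15550400:",
          mutual_contacts(g, "+15550300", "+15550400"))
    print("hours active for +15550200:", dict(active_hours(RECORDS, "+15550200")))
```

Every function works only on who, whom and when; that is exactly the information the article says was taken, and it is why a metadata leak is enough to pick out a person's closest contacts and daily pattern for targeted phishing or fraud.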

Despite that risk, the telco delayed its public breach notification until last week at the request of the U.S. Department of Justice. “AT&T received a national security exception from DOJ under the SEC reporting requirements,” Christopher Krebs, chief intelligence and public policy officer at SentinelOne, said in a post to the social platform X. “First such exception I’m aware of.”

An FBI spokesman confirmed to Information Security Media Group the DOJ’s request for a public breach notification delay, saying it was done “in accordance with the SEC’s rules” and on the grounds that disclosing the breach earlier would “pose a substantial risk to national security and public safety.”

While the bureau declined to comment on the arrest report, 404 Media said multiple sources have identified the suspect in custody as John Binns, an American previously arrested in Turkey.

Turkish police arrested Binns in May on suspicion of having perpetrated the 2021 breach of T-Mobile, The Desk reported. He faces a 12-count U.S. indictment, filed in 2022, pertaining to the theft of 54 million T-Mobile customer records and attempts to sell the stolen information. The U.S. has formally requested his extradition.

In August 2021, Binns claimed credit for the T-Mobile breach to The Wall Street Journal, saying he’d accessed an unprotected router to gain access to the network, after which he found credentials being stored that gave him access to over 100 servers housed in a Washington state data center used by the telco firm.

If Binns hacked AT&T in April, the ransom payment to Shiny Hunters would mean the criminals still get to profit from his attack, even if he’s incarcerated.

Who knows who they’ll collectively hit now, in pursuit of their next payday?

Original Post url: https://www.databreachtoday.com/blogs/att-allegedly-pays-ransom-after-snowflake-account-breach-p-3665

